Method and Arrangement in an Access System

ABSTRACT

An access node connected to end-users, routers, and a DHCP-server. The end-user defines desired services provided via the routers. A purpose is to automatically provide simultaneous access to services via two or more of the routers, although the end-user simultaneously handles only one router. The connections are secure. The end-user requests one of the services. The access node identifies the end-user and sends a corresponding request to the DHCP-server, which dynamically allocates addresses to the end-user and to all the routers for the desired services. The access node snoops the addresses in a DHCP option message from the DHCP-server, resolves the router addresses, stores IP router addresses and IP MAC addresses in a memory and sets MAC addresses in MAC filters. An option reply with one router is sent to the end-user, which after request for one service, reaches all the services stored in the memory.

TECHNICAL FIELD OF THE INVENTION

The present invention refers to providing multiple services in an accesssystem.

DESCRIPTION OF RELATED ART

A user of services provided via telecommunication networks often needsto have simultaneous access to a plurality of service providers. It isalso essential that the connections set up are secure and are unable touse for other subscribers than the user in question.

A mechanism known as MAC-Forced Forwarding MFF ensures secureconnections. The mechanism ensures that all end-users connected to aspecific Service VLAN inside an Ethernet Aggregation Network are allowedaccess only to a default gateway and not directly to each other or toother edge nodes attached to the service VLAN. The MFF mechanism alsopermits an access node, to which the end-users are connected, todynamically learn the address of the mentioned default gateway to allowaccess to for each end-user IP host. This is done by the access nodesnooping a DHCP reply to the end-user IP host after a DHCP request foran IP address from the end-user. The MFF mechanism was designed withsingle-edge access per IP host in mind, i.e. for access to one defaultgateway. The MFF mechanism is more closely described in T. Melsen, S.Blake: “MAC-Forced Forwarding: A Method for Traffic Separation on anEthernet Access Network”, available on the web atdraft-melsen-mac-forced-fwd-03.

Support for a general multi-edge access, i.e. simultaneous access to theplurality of service providers, requires the end-user IP host to be ableto access a multiple number of edge nodes simultaneously. This enablesso called true triple-play scenarios, in which a single end-user IP hostcan access e.g. high-speed Internet service, Voice over IP service andIPTV service simultaneously, delivered by separate edge nodes. This ismade possible by provisioning the edge nodes IP addresses statically inthe access node. An operator of the network writes the addressesmanually in the access node. The method is simple and secure but isrelatively cumbersome.

SUMMARY OF THE INVENTION

The present invention is concerned with a main problem to provide for anend user to have simultaneous and secure access to multiple routers.Manual assignment of multiple IP-addresses to the end-user is a part ofthe problem.

A further problem is that the set up connections are secure and areavailable only for the end-user in question.

Still a problem is to prevent said end-user to get access to a servicethat is not allowed for the user.

The problem is solved by an access node snooping and storingIP-addresses of the routers the end-user is allowed to access. Therouters IP addresses are resolved into MAC addresses by the access nodeusing standard Address Resolution Protocol ARP. The IP addresses of theallowed routers are communicated dynamically to the access node.

Somewhat more in detail the problem is solved in that the access nodereceives a request concerning a service that the end-user is entitledto. The access node sends the request to a server and receives a replywith a dynamically assigned end-user host IP address, and IP addressesto routers that should be accessible by the user. The access node readsthe reply, saves the routers IP address and resolves the routers MACaddresses. The access node sends a reply to the end-user with at leastone of the IP router addresses.

A purpose of the present invention is to provide a more flexible accessscheme, e.g. for triple play scenarios, by allowing end-users IP hoststo have simultaneous access to multiple routers.

Another purpose is to avoid manual configuration of accessible routersand instead provide dynamic configuration.

A further purpose is to give IP hosts, which can only handle a singlerouter, access to multiple routers.

Still a purpose is to make access unable to a service for a not entitledend-user.

Still another purpose is to provide secure connections.

The invention has an advantage to provide a more flexible access schemeby allowing end-users IP hosts to have simultaneous access multiplerouters.

Another advantage is that manual configuration of accessible routers isavoided.

A further advantage is that IP hosts, which can only handle singlerouters, are given access to multiple routers.

Still an advantage is that abusive use of services is avoided.

Still another advantage is that secure connections are provided.

The invention will now be described more closely with the aid ofembodiments and with references to enclosed figures.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a view over an access system;

FIG. 2 shows a view over an alternative access system;

FIG. 3 shows a flowchart of the method;

FIG. 4 shows a block schematic over a reply message, and

FIG. 5 shows a block schematic over a reply message.

DETAILED DESCRIPTION OF EMBODIMENTS

FIG. 1 shows a view over an access system ACC1. The system has an accessnode EDA1 to which end-users EU1 and EU2 are connected. Three serviceprovider access routers R1, R2 and R3, providing services to theend-users, are connected to the access node. The first router R1 is anIP router in an Internet VLAN denoted IV1. The second router R2 is avoice gateway in a voice VLAN denoted VV1. The third router R3 is avideo server in a video VLAN denoted VV2. The three routers R1, R2 andR3 have IP MAC addresses MACX, MACY and MACZ respectively. Also a DHCPserver DH1, in a DHCP VLAN denoted DV1, is connected to the access nodeEDA1.

In the access node are arranged MAC filters MX, MY and MZ, which onlylet through the respective IP MAC addresses MACX, MACY and MACZ. AlsoMAC filters MY2 and MZ2, which only let through the respective IP MACaddresses MACY and MACZ, are arranged in the access node. The accessnode also has memories TAB1 and TAB2 as will be more closely describedbelow. A control function CU1 controls the working of the access nodeEDA1. As an alternative the DHCP server DH1 can be connected to thefirst router R1, as is shown in dashed lines in the figure.

The DHCP server DH1 has an address pool AP1 with end-user IP hostaddresses, which can be allocated dynamically.

The end-users EU1 and EU2 can point out which of the services providedvia the routers R1, R2 and R3 they desire to have access to. Theend-user EU1 has determined a set of services consisting of servicesfrom the Internet VLAN IV1, the voice VLAN VV1 and the video VLAN VV2 asshown by dotted lines in the figure. The end user EU2 has determined aset of services from only the Internet VLAN IV1 and the voice VLAN VV1,which also is shown by dotted lines. The services are initially selectedby the respective end-user and are ordered via any conventional means,e.g. by a telephone call to an operator or via a web page.

In the present embodiment of the method the Dynamic Host ConfigurationProtocol DHCP and its different options are utilized. In short the DHCPprotocol allocates IP addresses to the end-user hosts and allocates waysout of the local net via the routers. More information is to be found onthe web at www.ietf.org, number RFC 3442.

When the end-users desire access to the services provided via the edgeaccess routers R1, R2 and R3, they utilize the access system ACC1 in thefollowing manner. As an example the end-user EU1 wants a service on theInternet IV1 provided via the router R1. The end-user EU1 thereforesends a corresponding DHCP request RQ1. The control function, whichlistens to the traffic, recognizes the DHCP request. The access nodeEDA1 is configured such that it can accept the request. The access nodereceives the request RQ1 and the control function CU1 completes it witha DHCP option 82, which identifies the end-user EU1 with the aid of itsport identifier. The access node EDA1 then transmits the completed DHCPrequest, denoted by RQ2, to the DHCP server DH1.

When the DHCP server DH1 receives the DHCP request RQ2 it dynamicallyallocates an end-user IP host address IPH from the address pool AP1, andaccessible routers R1, R2, R3. Access to these routers were once orderedby the end-user EU1 as described above. The server DH1 then forms a DHCPreply message RP1 which includes a DHCP option 121. This option 121indicates which addresses the different routers R1, R2 and R3 have andthe networks that can be reached via each router. The DHCP reply RP1 istransmitted to the access node EDA1.

The access node EDA1 receives the DHCP reply message RP1 and the controlfunction snoops the content in the message. It then makes an ARP requestfor the MAC addresses of the routers and saves the content in the memoryTAB1 as appears from the table below.

Router R1: IP1: MACX IP Router IPN1 0.0.0.0/0 Router R2: IP2: MACY IPRouter IPN2 172.10.0.0/16 192.168.10.0/24 Router R3: IP3: MACZ IP RouterIPN3 10.11.12.0/24 10.11.15.0/24 122.10.0.0/16

The IP router addresses for the routers R1, R2 and R3 are denoted in thetable by IPN1, IPN2 and IPN3 respectively.

The control function CU1 of the access node EDA1 now can set the IP MACaddresses MACX, MACY and MACZ in the respective MAC filters MX, MY andMZ. The end-user EU1 therefore only can reach the routers R1, R2 and R3and not e.g. the end-user EU2. This means that the connections in theaccess system ACC1 are secure and also that the end-users can utilizeonly the services which they are entitled to.

The access node has to send the DHCP reply to the end-user to make therequested service available. Now a problem arises that many end-userscannot handle the DHCP option 121 with several IP router addresses butcan only handle the DHCP option 3 with one IP router address. Thereforethe control function CU1 of the access node EDA1 translates the DHCPoption 121 in the reply message RP1 into DHCP option 3 with the onlynetwork address IPN1 before it sends a DHCP reply message RP2 to theend-user EU1.

The end-user EU1 receives the message RP2 with the IP router addressIPN1 and makes an ARP request ARP1 with this address. When the accessnode EDA1 receives this request it compares the address IPN1 with thecontent in the above memory TAB1. If the requested IP router addresscoincides with the saved IP router address in the table TAB1 the accessnode gives the end-user EU1 access. This access is not only valid forthe requested router R1 but does also comprise access to the routers R2and R3 and the services that they provide.

The ARP request includes not only the IP router address IPN1 but also aMAC address. This MAC address should in the present embodiment be theaddress MACX, but this can be wrong router MAC address for the specificservice. This depends on that the end-user EU1 only is aware of onesingle MAC and router address. When end-user data packets are receivedby the access node, the control function CU1 automatically corrects suchan incorrect MAC address with the aid of the content of the memory TAB1.

In the same manner as described above the system allows access for theend-user EU2 to the requested services provided via the routers R2 andR3. The end-user sends e.g. a DHCP request RQ21 for voice services. Therequest is received by the access node EDA1 and the control functionadds a port identifier and sends a corresponding request RQ22 to theDHCP server DH1. The latter automatically and dynamically allocates anend-user IP host address from the address pool, and accessible routersR2 and R3. The DHCP server forms a DHCP reply message RP21 whichincludes the DHCP option 121. When the access node receives the replyRP21 the control function snoops the message content. The access nodemakes an ARP request for the routers MAC addresses and saves theinformation in the memory TAB2 as appears from the table below.

Router R2: IP2: MACY IP Router IPN2 172.10.0.0/16 192.168.10.0/24 RouterR3: IP3: MACZ IP Router IPN3 10.11.12.0/24 10.11.15.0/24 122.10.0.0/16

The control function will set the IP MAC addresses MACY and MACZ in therespective filters MY2 and MZ2 so that the end-user EU2 only can reachthe routers R2 and R3 and the services provided via them. The accessnode adds the DHCP option 3 to the reply message RP21 and sends thewhole as a message R22 to the end user EU2. The latter then sends an ARPrequest ARP2 including the IP router address IPN2 to the access node,which makes the services provided via the routers R2 and R3 available tothe end-user EU2.

An alternative embodiment will be described in connection with FIG. 2.This embodiment is suitable for operators who use the RADIUS (RemoteAuthentication Dial-in User Service Protocol) protocol forauthentication, authorization and accounting purposes between a BRAS(Broadband Remote Access Server) and an end-user configuration server.The BRAS comprises a RADIUS client RC2 and the configuration server is aRADIUS server RS2. The figure shows a view over an access system ACC2with an access node EDA2, to which end users EU3 and EU4 are connected.A service provider access router R21 is connected to the access node. Inthe same manner as in the previous embodiment a DHCP server DH2 in aDHCP VLAN denoted DV2 is connected to the access node EDA2. The accessnode also has a local DHCP server DH3 connected to the abovementionedRADIUS client RC2. The latter is connected to the centrally locatedRADIUS server RS2. Compared to the DHCP-based model in FIG. 1 theRADIUS-based model replaces the DHCP server DH1 by the local DHCP serverDH3 and the centrally located RADIUS server RS2.

When the end-user EU3 requests for service it will issue a DHCP requestRQ31 in the same manner as described in connection with FIG. 1. Therequest RQ31 will be intercepted by the local DHCP server DH3 in theaccess node. The control function CU2 of the access node EDA2 sends aRADIUS request message RQ32 to the RADIUS server RS2 with thisinformation. The RADIUS message RQ32 includes the content of the DHCPrequest RQ31 and a unique identification of the end-user EU3 by e.g. aport identifier normally used in the DHCP option 82. The RADIUS serverRS2 dynamically allocates an end-user IP host address from the addresspool, and access to relevant routers, e.g. the router R21. The serverRS2 then sends a reply message RP3 providing host configurationinformation similar to that sent by the DHCP server DH1 in FIG. 1. Thereply message RP3 is fed to the local DHCP server DH3 and as in theprevious embodiment the access node EDA2 snoops the information in themessage. The access node also saves the information in a memory TAB3similar to the memory TAB1 described above. In its DHCP reply to the enduser EU3 the access node EDA2 translates the reply message RP3 into areply message RP4 suitable for end-users only supporting the DHCP option3.

In the description above the DHCP option 121 is mentioned. Originallythe DHCP option is targeted towards the end-users who use it to build alist of gateways and corresponding IP subnet. However, device supportfor DHCP option 121 cannot be assumed in general, and static IPconfiguration performed by the end-user of gateways is not considered aviable solution, as already mentioned above. An alternative, describedabove, is to generally assume that the end-user does not support DHCPoption 121 and that the access nodes EDA1 and EDA2 must always do thenecessary frame modification and switching that enables a multi-edgearchitecture.

This implies that the access node must direct the upstream traffic tothe right gateway using layer-3 switching, i.e. switching based on thedestination IP address. Likewise, downstream traffic must be modified soit looks as if it all came from the default gateway, i.e. the source MACaddress must be changed to that of the default gateway.

A variant of this layer-3 switching is to use the access node MACaddress as default gateway address for all end-users. This variant hasthe advantage of only using a single MAC address per access node forend-user traffic. In the present description this MAC address for theaccess node EDA1 is denoted MACE in FIG. 1.

In connection with FIG. 3 the method described above will be summarized.The method starts in a step 301, in which the end-user decides servicesto utilize and informs the network operator about the decision. In theexample the services are provided via the routers R1, R2 and R3. Theend-user, e.g. end-user EU1, sends the DHCP request RQ1 in a step 302and in a step 303 the access node EDA1 receives the request andrecognizes it as a DHCP message. The access node completes in a step 304the request RQ2 with the DHCP option 82, identifying the end-user'sport. In a step 305 the access node sends the request RQ2 to the DHCPserver DH1, which receives it in a step 306. In a step 307 the DHCPserver dynamically allocates both the IP network address to the end-userIP host from the address pool and accessible routers R1, R2 and R3. TheDHCP server DH1 sends the DHCP reply RP1 to the access node in a step308. In a step 309 the access node resolves the IP router addresses andsaves the IP router addresses and IP MAC addresses in its memory TAB1.The IP MAC addresses are set in the MAC filters MX, MY and MZ in a step310. In a step 311 the access node EDA1 adds the DHCP option 3 to thereply RP2 including the IP network address IPN1 and the router IPaddress MACX and sends the reply to the end-user in a step 312.Alternatively the reply RP2 has the IP MAC address MACE of the accessnode itself instead of the MAC address MACX.

In a step 313 the end-user EU1 makes the ARP request ARP1 with theaddresses IPN1 and resolves this to the MAC address MACX. In a step 314the access node EDA1 compares the addresses in the request ARP1 with theaddresses in the memory TAB1. In a step 315 the access node investigateswhether the IP address in the request ARP1 and in the memory TAB1coincide. If not so, an alternative NO1, access is denied for theend-user EU1 in step 316. When the addresses coincide, an alternativeYES1, the access node checks in a step 317 if the MAC address is thecorrect one. In an alternative YES2 the access node in a step 318 allowsthe end-user access to all the routers R1, R2 and R3 providing theservices which the end-user EU1 once decided. In an alternative NO2 theaccess node EDA1 first corrects the MAC address in a step 319 beforeaccess to the routers is allowed. In a step 320 the destination MACaddress and destination IP address are checked in data packets from theend-user.

In FIGS. 4 and 5 are shown more in detail the reply messages RP1 andRP2. As described above the access node EDA1 receives the reply messageRP1 from the DHCP server DH1. The message has a code field 41 statingthat it is an option 121 message, which is recognized by the controlunit CU1. A length field 42 tells the length of the reply message. Afirst destination field 43 states which networks are available via therouter R1, which is defined by its IP router address in a first routeraddress field 44. The message RP1 continues with a second destinationfield 45 stating which networks are available via the router R2. Thisrouter is defined in a second router address field 46. The exemplifiedreply message RP1 has also destination- and router fields for the routerR3, only hinted by dotted lines in the figure.

FIG. 5 shows the reply message RP2 from the access node EDA1 to theend-user EU1. The message has a code field 51 stating that it is anoption 3 message. A length field 52 tells the length of the replymessage. A router address field 53 gives the IP router address to therouter R1 providing the initially requested service.

1-16. (canceled)
 17. A method in an access system providing multipleservices and having an access node for connection to a plurality ofrouters and at least one end user, the method comprising the steps of:receiving in the access node from the at least one end user, a servicerequest for one of the multiple services; receiving in the access node,a dynamically allocated end-user IP host address and accessible routeraddresses suitable for reaching at least two of the multiple services;saving in the access node, the received IP router addresses; and sendingfrom the access node, at least one of the saved IP router addresses tothe end user.
 18. The method according to claim 17, wherein the accesssystem includes a DHCP server, and the method further comprises thesteps of: sending from the access node, the service request to the DHCPserver; dynamically allocating in the DHCP server, the end-user IP hostaddress and accessible router addresses to the routers providing the atleast two of the multiple services; and receiving in the access node,the IP router addresses and resolving IP MAC addresses of correspondingaddresses of the routers and saving the addresses.
 19. The methodaccording to claim 18, wherein the DHCP-server is external to the accessnode.
 20. The method according to claim 18, wherein the DHCP-server isinternal to the access node and is connected to an access node internalRADIUS-server.
 21. The method according to claim 18, further comprisingthe step of sending to the end-user, from the access node, the saved IPMAC address of at least one of the routers and the corresponding savedIP router address.
 22. The method according to claim 18, furthercomprising the step of sending, to the end-user from the access node, anIP MAC address of the access node and at least one of the saved IProuter addresses.
 23. The method according to claim 17, furthercomprising the steps of: determining by the end-user, a set of servicesamong the multiple services; receiving in the access node from the enduser, an Address Resolution Protocol request having at least one of theIP router addresses; comparing in the access node, the received IProuter address with the saved at least two IP router addresses; andallowing the end user access to the routers providing the set ofservices on coincidence with the step of comparing.
 24. The methodaccording to claim 17, wherein the access node has MAC address filtersfor the different routers, and the method further comprises the step ofwriting the saved IP MAC addresses in the corresponding MAC addressfilters.
 25. An arrangement in an access system providing multipleservices, the arrangement comprising: an access node for connection torouters and at least one end user; and a DHCP server; wherein: theaccess node includes means for transmitting from the at least one enduser, a service request to the DHCP server; the DHCP server includesmeans for dynamically allocating the end-user host IP address andaddresses to accessible routers providing at least two of multipleservices and means for sending the addresses to the access node; theaccess node has a memory to save the received IP router and networkaddresses; and the access node includes means for sending at least oneof the saved IP router addresses to the end user.
 26. The arrangementaccording to claim 25, wherein: the access node includes means forresolving the received IP router addresses into the associated IP MACaddresses of the routers; and the access node includes means for savingthe IP MAC addresses in the memory.
 27. The arrangement according toclaim 25, wherein the DHCP server is external to the access node. 28.The arrangement according to claim 25, wherein the DHCP server isinternal to the access node and is connected to an access node internalRADIUS server.
 29. The arrangement according to claim 25, wherein theaccess node includes means for sending to the end-user, the saved IP MACaddress of at least one of the routers and the corresponding at leastone saved IP router address.
 30. The arrangement according to claim 25,wherein the access node includes means for sending to the end-user, anIP MAC address of the access node itself and at least one of the savedIP router addresses.
 31. The arrangement according to claim 25, wherein:the end-user includes means for determining a set of services among themultiple services; the access node includes means for receiving from theend user, an Address Resolution Protocol request having at least one ofthe IP router addresses; the access node includes means for comparingthe received IP router address with the saved at least two IP routeraddresses; and the access node includes means for allowing the end useraccess to the routers providing the set of services on coincidence atthe comparison.
 32. The arrangement according to claims 25, wherein theaccess node has MAC address filters for the routers, the filters storingthe saved IP MAC addresses in the corresponding MAC address filters.